On July 11, the Federal Senate approved Bill 53/2018, which regulates the protection of personal data in Brazil (LGPD).
With broad implications, the LGPD draws on the recently implemented General Data Protection Regulation of the European Union (GDPR), establishing obligations for any persons or companies that collect or process personal data or offer goods or services in Brazil, even if the collection or processing takes place abroad and regardless of the nationality of those involved, with rare exceptions.

We highlight that the LGPD is still pending a sanction by the President of the Republic and there is a significant risk that relevant parts will be vetoed, in particular, the one which creates the National Data Protection Authority. We will follow the development of this issue with specific attention.

Among the new rules approved by the National Congress, we highlight:

Principles.  The LGPD establishes principles that must be observed in the processing of personal data, including good faith, purpose, necessity, free access, security, and accountability, understood as proof of the adoption of effective measures capable of demonstrating compliance with the rules for the protection of personal data.

Processing of Personal Data.  The processing of personal data may only be carried out in the cases provided for in the LGPD. Among the legal bases foreseen are the express consent of the holder and the legitimate interest of the controller. In the case of consent, it must be provided in writing or by other means that demonstrate the manifestation of the holder's will; the controller bears the burden of proving that it was obtained in accordance with the law, and it may be revoked at any time. In turn, legitimate interest would theoretically allow the use of data for purposes other than those initially authorized by their owners or those that led to their creation,

Personal Data, Sensitive Personal Data, and Public Data.  “Personal data” means any information related to an identified or identifiable natural person (the holder), such as name, CPF or e-mail address. The LGPD also defines “sensitive personal data” as any information on racial or ethnic origin, religious belief, political opinion, membership of a trade union or of an organization of a religious, philosophical or political nature, as well as data relating to health or sex life, and genetic or biometric data when linked to a natural person. The consent requirement provided for in the LGPD may be waived for personal data made manifestly public by the holder.

Authority.  The LGPD provides for the creation of a public authority responsible for enforcing compliance with the LGPD. The National Data Protection Authority (Authority) shall be bound to the Ministry of Justice and shall supervise, apply penalties and issue regulations regarding the protection of personal data.

Rights of the Holders.  Holders of personal data have had their rights expanded, in particular the rights of direct access to their data, rectification, cancellation/deletion, opposition to processing, information and explanation about the use of their data, and portability of personal data.

Responsibilities of Agents.  The agents responsible for the collection and processing of personal data (controllers and operators) may be held jointly and severally liable in case of violation of the LGPD. However, the liability of the operator may be limited to its contractual and information security obligations, provided that it does not breach its obligations under the LGPD.

Data Protection Officer.  Controllers must designate the person in charge of data protection in the company. This professional, usually called the Data Protection Officer, will be the point of contact among the controller, the Authority, and the data holders.

Data Protection Impact Report.  The Authority may require the controller to prepare a personal data protection impact report (PDPIR) regarding its data processing operations. Preparation of the PDPIR may be mandatory in situations already characterized as risky or, at the request of the Authority, when the data processing is based on legitimate interest. The PDPIR must contain at least a description of the types of data collected, the methodology used for their collection, and details of the information security measures adopted.

International Transfer of Personal Data.  The international transfer of personal data is permitted only in specific cases, among them: (1) when the controller offers and demonstrates guarantees of compliance with the principles, the rights of the holder and the data protection rules set forth in the LGPD, in the form of (a) specific contractual clauses for a particular transfer, (b) standard contractual clauses, (c) global corporate standards, or (d) regularly issued seals, certificates and codes of conduct subject to the approval of the Authority; or (2) when the holder provides specific consent for the international transfer.

Incident Reporting.  The controller must notify the Authority and the holder, within a reasonable time, of the occurrence of a security incident that could cause significant risk or damage to the holders.

Penalties.  The LGPD establishes penalties in case of noncompliance, including warnings, suspension or prohibition of the data processing related to the infraction, or a fine of up to 2% of gross sales in Brazil, capped at R$ 50 million.

Deadline.  The LGPD will enter into force 18 months after the date of the presidential sanction.

The teams of the Fraga, Bekierman & Cristiano Advogados offices in Rio de Janeiro and São Paulo are available to clarify any doubts and to assist in implementing the changes required to comply with the soon-to-be-enacted new legislation on the protection of personal data.